
Canary Trap’s Bi-Weekly Cyber Roundup


Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.

This week’s cybersecurity round-up highlights a range of critical threats and developments. Researchers have uncovered a Golang-based backdoor leveraging Telegram for command-and-control communication, while Palo Alto Networks has confirmed active exploitation of a firewall vulnerability. Meanwhile, X (formerly Twitter) is blocking Signal contact links as malicious, and South Korea has paused downloads of DeepSeek’s AI apps due to privacy concerns. Additionally, the FBI has raised alarms over insider threat risks posed by Elon Musk’s young engineers, and the Ontario Provincial Police (OPP) are investigating a cyber incident affecting Kingston’s police service.

  • Golang Backdoor Abuses Telegram for C&C Communication

A newly identified backdoor written in Golang has been observed leveraging Telegram for command-and-control (C2) operations, according to cybersecurity firm Netskope. Although still in development, the malware is fully functional and appears to have been created by a Russian developer, as indicated by a message it transmits to its C2 server.  

Before installation, the malware executes an initialization function to check whether it is already running on the system. If not, it copies itself to a designated location, launches a new instance from that directory, and then terminates the original process. Once executed, the backdoor utilizes a Telegram token to establish a bot instance and continuously monitors a Telegram channel for incoming instructions. It interacts with Telegram through an open-source Go package, validating each command based on its length and content.  

The malware currently supports four primary commands: executing PowerShell commands, relaunching under the svchost.exe process, capturing screenshots (though this feature is not yet functional), and initiating self-deletion. The results of executed commands are sent back to the attacker-controlled Telegram channel.  

To run PowerShell commands, the backdoor requires two messages—one providing the instruction and another specifying the command to execute. In response to the first message, the malware replies with the prompt “Enter the command:” in Russian. When commanded to restart, it follows the same initialization checks before relaunching itself and exiting the current process. Although the screenshot function is non-operational, the malware falsely responds as if the action was successful.

For self-destruction, the malware removes the svchost.exe file from the system’s Temp directory, terminates its own process, and notifies the Telegram channel with a “Self-destruct initiated” message.
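The behaviour described above (a copy of the malware running as svchost.exe from a Temp directory and polling the Telegram Bot API) gives defenders two simple telemetry indicators. The Go program below is an added example, not code from Netskope or from the roundup; the log record shape, the sample events and the paths are constructed, and the heuristics (svchost.exe outside System32/SysWOW64, requests to api.telegram.org/bot<token>/...) are assumptions drawn from the description rather than published indicators.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a constructed endpoint-telemetry record: the process image path
// and the URL it requested (as an EDR or web proxy might log them).
type Event struct {
	Image string
	URL   string
}

// Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>.
var telegramBotAPI = regexp.MustCompile(`(?i)^https?://api\.telegram\.org/bot[^/]+/`)

// isMasqueradingSvchost flags an svchost.exe image that is not in one of the
// two directories where Windows legitimately keeps it (assumed heuristic).
func isMasqueradingSvchost(image string) bool {
	norm := strings.ToLower(strings.ReplaceAll(image, `\`, "/"))
	if !strings.HasSuffix(norm, "/svchost.exe") {
		return false
	}
	return !strings.HasPrefix(norm, "c:/windows/system32/") &&
		!strings.HasPrefix(norm, "c:/windows/syswow64/")
}

// Classify returns the indicators matched by one event.
func Classify(ev Event) []string {
	var findings []string
	if isMasqueradingSvchost(ev.Image) {
		findings = append(findings, "svchost.exe outside System32/SysWOW64")
	}
	if telegramBotAPI.MatchString(ev.URL) {
		findings = append(findings, "Telegram Bot API traffic")
	}
	return findings
}

// Score rates an event: both indicators together match the described backdoor.
func Score(ev Event) string {
	switch len(Classify(ev)) {
	case 2:
		return "high"
	case 1:
		return "medium"
	}
	return "none"
}

func main() {
	// Constructed sample: a Temp-resident svchost.exe polling a bot for commands.
	ev := Event{Image: `C:\Users\alice\AppData\Local\Temp\svchost.exe`,
		URL: "https://api.telegram.org/bot123456:CONSTRUCTED_TOKEN/getUpdates"}
	fmt.Println(Score(ev), Classify(ev))
}
```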

  • Palo Alto Networks Confirms Exploitation of Firewall Vulnerability

Palo Alto Networks has confirmed that a recently patched firewall vulnerability, CVE-2025-0108, is being actively exploited in the wild. The flaw, which was publicly disclosed on February 12, 2025, allows unauthenticated attackers to access a device’s management interface and execute certain PHP scripts.  

Security researchers from Assetnote, who initially discovered the vulnerability, released a detailed technical analysis on the same day that Palo Alto Networks issued patches and mitigations. Threat intelligence firm GreyNoise reported the first signs of exploitation on February 13, noting that nearly 30 unique IP addresses had attempted to leverage the flaw by February 18. While the exact objectives of these attacks remain unclear, GreyNoise classified them as malicious, indicating potential real-world threats rather than mere security research activity.  

Palo Alto Networks has acknowledged these exploit attempts, updating its advisory to reflect in-the-wild exploitation. The company emphasized the importance of applying security patches immediately, particularly for internet-exposed PAN-OS management interfaces.  

CVE-2025-0108 can also be chained with other vulnerabilities, such as CVE-2024-9474, to facilitate remote code execution. CVE-2024-9474, patched in November 2024, has been exploited alongside authentication bypass flaws like CVE-2024-0012. Palo Alto Networks confirmed that a proof-of-concept (PoC) exploit for CVE-2025-0108 is publicly available and is being actively leveraged in attacks.

Security experts warn that unpatched PAN-OS management interfaces remain at significant risk. The Shadowserver Foundation has identified approximately 3,500 exposed interfaces as of February 14, further underscoring the urgency of applying updates.  

Addressing concerns about whether the disclosure of technical details may have facilitated exploitation, Assetnote stated that its research was coordinated with Palo Alto Networks. The company emphasized that attackers can often reverse-engineer patches quickly, and public disclosure helps defenders identify and respond to threats more effectively.  

Organizations using PAN-OS are strongly urged to apply the latest security updates immediately and review their external-facing management configurations to minimize exposure.

  • X Now Blocks Signal Contact Links, Flags Them As Malicious

Social media platform X (formerly known as Twitter) has started restricting access to links from “Signal.me,” a URL used by the Signal encrypted messaging app to facilitate account sharing.

Users attempting to share Signal.me links in public posts, direct messages, or profile bios are met with error messages citing potential spam or malware concerns. Based on testing conducted by BleepingComputer and reports from users, the platform appears to be specifically targeting “Signal.me” URLs, while other Signal-related links, such as Signal.org, Signal.link, and Signal.group, remain unaffected.  

The issue was initially highlighted by journalist Matt Binder, who noted that the timing of the restriction remains uncertain. “It’s unclear when X blocked ‘Signal.me’ links on the platform,” Binder wrote. “However, this appears to be a recent change, as users were previously able to post ‘Signal.me’ links without issue.”  

Signal.me links serve as personalized URLs generated within the Signal app, allowing users to share their contact information securely without directly exchanging phone numbers. The feature enhances privacy and simplifies communication between users.  

Despite the block, existing Signal.me links posted before the restriction remain clickable, though they now trigger a warning message cautioning users that the link “may be unsafe.” Meanwhile, other third-party messaging services, such as Telegram, remain unaffected and can still be linked within X.  

This incident draws parallels to past actions by X, particularly in 2023 when links to competing platforms such as Facebook, Instagram, and Mastodon were temporarily blocked following Elon Musk’s acquisition of Twitter. That decision was reversed after user backlash.

As of now, X has not provided an official explanation for the block, nor has it responded to media inquiries. Signal has also been contacted for comment, and further updates will be provided as more information becomes available.

  • Downloads of DeepSeek’s AI Apps Paused in South Korea Over Privacy Concerns

South Korea has temporarily suspended downloads of Chinese AI startup DeepSeek’s chatbot applications over privacy concerns, according to South Korean officials.

South Korea’s Personal Information Protection Commission (PIPC) announced that DeepSeek’s apps were removed from the local versions of Apple’s App Store and Google Play on Saturday evening. The company has agreed to work with regulators to enhance its privacy protections before making the apps available again.  

The suspension does not impact existing users who have already downloaded the app or those accessing it via personal computers. However, Nam Seok, director of the PIPC’s investigation division, advised South Korean users to either remove the app from their devices or refrain from sharing personal information until the privacy concerns are resolved.  

Concerns over data security have led multiple government agencies and businesses in South Korea to restrict access to DeepSeek on their networks or prohibit its use for work-related activities. An ongoing review of DeepSeek’s services, initiated last month by the PIPC, revealed a lack of transparency regarding third-party data transfers and indications that the AI model may be collecting excessive personal information.  

While the commission has not determined the exact number of DeepSeek users in South Korea, data from Wiseapp Retail suggests that during the fourth week of January, approximately 1.2 million smartphone users in the country engaged with the chatbot, making it the second most popular AI model after ChatGPT.

  • OPP Investigating “Cyber Incident” Affecting Kingston, Ontario Police

The Ontario Provincial Police (OPP) are investigating a cybersecurity incident impacting the Kingston Police Service. 

According to a statement released on Monday, Kingston police detected a network issue on Friday, which was later identified as a cybersecurity breach. The incident primarily affected non-emergency IT systems, though emergency response capabilities remain fully operational. The Kingston Police Service’s website was functional as of Monday evening, and a spokesperson was able to respond to media inquiries via email.  

Upon discovering the issue, Kingston police took immediate steps to mitigate the impact, including restricting access to affected systems to safeguard data, personnel, and the organization. A dedicated response team, including third-party cybersecurity specialists, has been engaged to assist in the investigation and recovery efforts.  

The OPP’s Cybercrime Investigations Team is leading the inquiry, though officials have not disclosed the nature of the breach. OPP spokesperson Bill Dickson noted that the investigation is still in its early stages. “Our primary focus remains on protecting the public and maintaining operations,” Kingston police stated. “We are actively implementing contingency plans to ensure continuity of service and are collaborating with government and law enforcement partners to restore full functionality. The Kingston Police Service Board, the Mayor, and the City of Kingston have also been informed and are offering their support.”

It is currently unclear whether this incident is connected to a separate cybersecurity event affecting the Upper Canada District School Board (UCDSB). Schools in the district, located east of Kingston, experienced internet disruptions beginning Sunday, which the UCDSB confirmed is an ongoing issue.

 

References:

https://www.securityweek.com/golang-backdoor-abuses-telegram-for-cc-communication/

https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/

https://www.bleepingcomputer.com/news/security/x-now-blocks-signal-contact-links-flags-them-as-malicious/

https://www.securityweek.com/downloads-of-deepseeks-ai-apps-paused-in-south-korea-over-privacy-concerns/

https://www.ctvnews.ca/ottawa/article/opp-investigating-cyber-incident-affecting-kingston-ont-police/
